Today's threads (a thread)

Inside: When Facebook came for your battery, feudal security failed; and more!

Archived at: https://pluralistic.net/2023/02/05/battery-vampire/

#Pluralistic

1/

Pluralistic: When Facebook came for your battery, feudal security failed (05 Feb 2023) – Pluralistic: Daily links from Cory Doctorow

@pluralistic So I need to write this up properly, but TL;DR: this is also coming to Google Chrome in the form of Root Server Certificates. You/your platform won't get to choose anymore; Google will, to ensure a "consistent experience across platforms". It's also not clear if you'll be able to modify it easily moving forwards (I assume it will still be possible, but it might get set up as an Enterprise-only feature based on their current language): https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#can-you-help_i_m-experiencing-problems https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled

@kurtseifried @pluralistic what does this mean for enterprises that MITM proxy HTTPS traffic as part of their firewall and security setup?

@c0dec0dec0de @pluralistic They'll have to install the certs into the browser and hope the stuff they're MitM'ing isn't pinning or using other techniques that explicitly are meant to block this. To quote myself:

If your network security depends on you behaving like a malicious nation-state to your users, you're going to have a bad time long term.